CIPHER is a Capture The Flag-style exercise in IT security for
teams of students from universities. The task is to maintain a server
running multiple services, while simultaneously trying to get unauthorized access to
the other team's servers. Each successful penetration gains points, as
well as keeping the own services up and functional during the course of the game.

Description

The exercise consists of multiple teams, each hosting a server that has
multiple services running, like e.g. a webserver, a mail server, or
customized services. The services contain typical security vulnerabilities
that allow to compromise the server to a certain extend.

The goal is to maintain the services up, functional and uncompromised
for the duration of the game. Additional scores can be gained by
patching the vulnerabilities of the services and exploiting the knowledge
of the found weaknesses at the other team's servers.

The focus of the exercise is on application layer security.

Registration and More Information

For more information send a mail to .

We will preliminary stop registration, if we have 30 teams. So if you consider participating, don't hesitate too long!
Slots usually fill up quickly.

Also, we will only accept a single team from each affiliation - multiple teams will only get accepted, if there are
less than 30 teams registered by the end of the official registration phase.

NEW If you are a single person, or if you just want to have a sniff of adventure and therefore
join the contest without all the work of being an actual particpant: please check the section third party access
on the bottom of this page!

To register your team, please fill in the following form:

Affiliation/University

Country

Team's Nickname

Contact person

(name and email address, (*) see below)

Technical contact

(name and email address)

Number of participants

Additional information

(*)only registrations with official university email adresses are allowed. Also, the contact
person should be an employee of the university, i.e. a lecturer or professor. Any other registration
will be silently dropped.

Organisational Details

The exercise is scheduled for July 9th (date is still subject to possible changes). It will
start at 6pm CEST and last until 1am CEST (GMT+2, UTC+2) on the next day.

Only teams of up to 7 members from a single university
are allowed to sign up. The limit is hard and includes everybody
actively participating in defense and offense.

Each team needs to have a contact person that does not actively
take part in the exercise and is responsible for the team's ethical behaviour.

Each team needs to have a contact person that is responsible for
technical stuff, esp. the VPN connection and the machine setup. This
person should answer to emails within 8 to 10h or faster. Presence in
the IRC or Instant Messenger are a plus.

Professionals should contact us, before subscribing. Please note that we will
reserve the majority of slots for university teams. However we will make sure that
at least one or two slots will be free for non-univeristy teams to enter the competition.

These teams have already pointed out their interest to the contest:

1: Katholieke Universiteit Leuven, Belgium

2: Amrita University, India

3: Technische Universität Berlin

4: Saint-Petersburg State University of Information Technologies

5: UCSB, USA

6: FH OOE, Campus Hagenberg, Austria

7: University of Kassel, Germany

8: Technische Universität Darmstadt

9: Ruhr University Bochum, Germany

10: Ural State University, Russia

11: TU Vienna, Austria

12: UGATU, Russia

13: Ural State Technical University - UPI

14: Ecole de technologie superieure, Canada

15: University of Regensburg, Germany

16: Tomsk State University of Control Systems and Radioelectronics, Russia

17: South Ural State University, Russia

18: University Mannheim, Germany

19: Chelyabinsk State University, Russia

20: Kant SU of Russia

21: Universidad Nacional de La Plata, Argentina

22: Saint-Petersburg State University of Engineering and Economics

23: Tomsk State University, Russia

24: RPI, US

25: Samara State Technical University, Russia

26: Southern Federal University, Russia

27: SoonChunHyang University, Seoul National University and Korea Advanced Institute of Science and Technology, Korea

each team sets up its VPN and the test image according to the instructions

July, 8th, 20:00

July, 8th, 14:00

July, 8th, 11:00

distribution of the encrypted virtual image

July, 9th, 17:00

July, 9th, 11:00

July, 9th, 8:00

all teams should have their VPNs running to check pairwise connectivity (please don't block pings!)

July, 9th, 17:30

July, 9th, 11:30

July, 9th, 8:30

Game start: the key to the encrypted image is published in the IRC and by e-mail. The game starts :-)

Teams decrypt and setup the image

July, 9th, 19:00

July, 9th, 13:00

July, 9th, 10:00

the score bot starts checking for services

Main contest is here

July, 10th, 01:00

July, 9th, 19:00

July, 9th, 16:00

the exercise is over, declaration of the winning team

Technical Details

The contest will consist of multiple teams, each hosting a server that has multiple services running,
like e.g. a webserver, a mail server, or customized services. The services contain typical security
vulnerabilities that allow to compromise the server to a certain extend.

We recommend to use two different host systems for routing and the vulnerable image due to robustness
reasons. The router, i.e. a team's gateway, can be any kind of hardware - any machine with two network
interfaces will do the job. Note that this machine should still be able to run at least one instance of
openvpn. The host machine carrying the vulnerable image should have at least 1GHz and 512MB of RAM, more
is preferred, and at least 1GB of RAM is recommended. If the virtual image will run on the gateway,
the box should have at least 1.5GHz and 1GB RAM minimum. In addition to these two machines every player
will need a terminal to access the services of their own server and the other teams' servers. Whatever
the students can work with, will suffice here.

The vulnerable image will be for x86-architectures with 32bit.

As we did in CIPHER2, 3 and 4 we will add an additional server to the game which will serve the same services as the
other servers. In contrast to the team servers, this one will not be maintained by players but
serve as a mere target without an defending team.

Differences to previous CTF Contests

This section contains some ideas that will likely differ from previous contests.

Third Party Access: We will allow a limited and registered set of interested individuals take part
in the contest as third parties. These will not get scored, neither will they host images, but only
be allowed access to the VPN in order to attack the hosts.
If you are interested in participating this way, please contact the organizors of the contest
directly by mail.

Virtualization: we will use Virtualbox instead of VMWare this year..

Random Subnet Assignment:The teams will be assigned random sub nets -- this should make a little bit
more difficult to determine, which teams you are currently attacking.

Prizes:We're trying to organize a set of prizes for the winning teams. If you're a player,
please send us suggestions for prizes, if you're a sponsor, send us cool gadgets ;)

The scoring system will get much simpler this time. Currently we're thinking along these lines:

A flag is considered defended and gets scored with 1 point, if

it was successfuly retrieved by the gameserver (after around 2 min).

it wasn't submitted by another team by the end of its expiry time (about 15min).

A flag is considered caught and gets awarded with 1 point, if

the submitting team has the same service actively running, of which the flag originates